LabMD joins Wyndham in challenging FTC’s data privacy authority

Section 5 of the Federal Trade Commission Act — the Act that established the FTC in the first place — makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices…” Though the words seem simple enough, its application in today’s world is anything but simple, particularly when you talk about data privacy. Two companies — Wyndham Worldwide Corp. and LabMD Inc. — are publicly, and independently, challenging the FTC’s authority over their data security policies (and subsequent lapses). This post is a quick update about LabMD’s challenge.

In August 2013, the FTC filed an administrative complaint against LabMD, alleging that it lacked appropriate data security and unreasonably exposed the health and personal data of its consumers. LabMD conducts clinical laboratory tests on patients and reports its findings to patients’ health care providers. In performing the needed tests, LabMD typically obtains personal information, including names, addresses, dates of birth, SSNs, bank account or credit card information, laboratory tests, test codes and results, diagnoses, clinical histories, and health insurance company names and policy numbers. LabMD possesses such data for approximately 1 million consumers.

The FTC charged that LabMD “failed to provide reasonable and appropriate security for personal information on its computer networks.” Among other things, the complaint states that LabMD failed to:

employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs;

adequately train employees to safeguard personal information;

require employees, or other users with remote access to the networks, to use common authentication-related security measures; and

utilize readily available measures to prevent or detect unauthorized access to personal information on its computer networks.

The complaint cited a couple of examples of these lapses, which are instructive to anyone who holds personal data for customers. First, the FTC claimed that LabMD employees were allowed to send emails with patients’ personal information to their own personal email accounts. Second, LabMD allegedly failed to prevent employees from installing certain applications on their computers. As a result, an unauthorized file sharing application was installed on its networks and an insurance aging report containing personal information for approximately 9,300 consumers was found on Limewire, a peer-to-peer file sharing network.

A month ago, LabMD moved to dismiss the complaint arguing that “Section 5’s plain language does not authorize patient-information data-security regulation.” LabMD further argued that only HHS, and not the FTC, is empowered to regulate patient-information data-security practices. Additionally, LabMD takes issue with the manner in which the FTC is exercising its authority, arguing that because the FTC has not published data-security regulations, guidance or standards explaining what is forbidden or required by Section 5, it has “denied LabMD and others similarly situated constitutionally required fair notice, engaged in prohibited ex post facto enforcement, and, through this action, violated LabMD’s due process rights.”

FTC and HHS have concurrent and complementary jurisdiction to protect consumers’ personal information;

the FTC Act delegates broad power to the agency;

sector-specific data security laws only add new powers and do not imply that the FTC lacked power previously to regulate or enforce; and

the FTC is not obligated to proceed by rulemaking.

The FTC has successfully fended off similar arguments in the past. Nevertheless, these challenges are gaining steam. In particular, as technology becomes ever more sophisticated and invasive, the need for a watchdog and for clear rules governing data security becomes ever more apparent. Accordingly, query whether in the future some court might demand a clearer articulation of authority before allowing the FTC to continue on its current path. Query also whether the FTC will get its way and Congress will legislate the problem away by making the agency’s authority over data security and privacy more explicit.

Additional challenges are likely and at some point Congress will likely be forced to get involved. Every data breach and security lapse that happens will continue to garner public attention and a call for tighter regulation will not go away. Whichever way these challenges play out, there is clearly a need for oversight. The question is whether the FTC will be that oversight and, if so, through regulation or just enforcement. Stay tuned.

Porter Wright Morris & Arthur LLP
